XWiki Platform vulnerability list
6 vulnerabilities related to XWiki Platform found
XWiki Platform /rest/wikis/xwiki/pages permission bypass vulnerability (CVE-2025-29925) No POC
XWiki Platform is a generic wiki platform. Before 15.10.14, 16.4.6 and 16.10.0-rc-1, a request to the REST endpoint /rest/wikis/[wikiName]/pages lists protected pages even when the requesting user has no view right on them. This is most visible when the whole wiki is protected with "Prevent unregistered users from viewing pages": the endpoint still lists the wiki's pages, though only for the main wiki. The issue has been fixed in XWiki 15.10.14, 16.4.6 and 16.10.0RC1. In those versions the endpoint can still be requested, but the results are filtered according to the view right on each page.
CVE-2023-37462: XWiki Platform - Remote Code Execution POC
XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. Improper escaping in the document `SkinsCode.XWikiSkinsSheet` leads to an injection vector from view right on that document to programming rights; in other words, it is possible to execute arbitrary script macros, including Groovy and Python macros, which allow remote code execution including unrestricted read and write access to all wiki contents. The attack works by opening a non-existing page with a name crafted to contain a dangerous payload. It is possible to check if an existing installation is vulnerable.
CVE-2024-45591: XWiki Platform - Unauthorized Document History Access POC
A vulnerability in XWiki Platform's REST API allows unauthorized users to access document history information. The REST API endpoint exposes the history of any page, including modification times, version numbers, author details (username and display name), and version comments, regardless of access rights configuration, even on private wikis.
CVE-2025-24893: XWiki Platform - Remote Code Execution POC
Any guest can perform arbitrary remote code execution through a request to SolrSearch. This impacts the confidentiality, integrity, and availability of the whole XWiki installation. This vulnerability has been patched in XWiki 15.10.11, 16.4.1, and 16.5.0RC1.
CVE-2025-32430: XWiki Platform - Cross-Site Scripting POC
XWiki Platform versions >= 4.2-milestone-3 and < 16.4.8, >= 16.5.0-rc-1 and < 16.10.6, and >= 17.0.0-rc-1 and < 17.3.0-rc-1 are vulnerable to reflected XSS in two templates. The vulnerability allows an attacker to execute malicious JavaScript code in the context of the victim's session by getting the victim to visit an attacker-controlled URL.
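The fix versions and affected ranges quoted in the CVE-2025-29925, CVE-2025-24893 and CVE-2025-32430 entries above are easy to misread, because XWiki uses Maven-style pre-release qualifiers (4.2-milestone-3, 16.5.0RC1, 17.3.0-rc-1) that do not sort like plain dotted numbers: 16.5.0-rc-1 precedes 16.5.0, and 16.9.x is newer than 16.4.8 yet older than the 16.10.0-rc-1 fix. The following is an added example, not code from this page or from the XWiki project: a small Python checker that parses those version strings and tests an installed version against the ranges and fix lists exactly as the three entries state them. The function names, the branch rule in is_patched (a version counts as patched if it is at or above the fix on its own major.minor line, or at or above the newest listed fix), and the treatment of release lines the advisory does not list as unpatched are this example's own assumptions.

```python
"""Version checks for the XWiki advisories quoted on this page.

Added example, not XWiki project code. XWiki version strings are ordered
Maven-style: "16.5.0-milestone-1" < "16.5.0-rc-1" < "16.5.0" < "16.5.1".
The ranges and fix lists below are copied from the entries above; the
helper names and the branch rule in is_patched are this example's own.
"""
from __future__ import annotations

import re
from typing import Iterable, Tuple

# "16.5.0RC1" and "16.5.0-rc-1" are both accepted; case is ignored.
VERSION_RE = re.compile(r"^(\d+(?:\.\d+)*)(?:-?(milestone|rc)-?(\d+))?$", re.IGNORECASE)

QUALIFIER_RANK = {"milestone": 0, "rc": 1}
FINAL_RANK = 2  # a final release sorts after its own milestones and RCs

# Comparable key: (numeric components, qualifier rank, qualifier number)
VersionKey = Tuple[Tuple[int, ...], int, int]


def parse_version(version: str) -> VersionKey:
    """Turn an XWiki version string into a key that sorts correctly."""
    match = VERSION_RE.match(version.strip())
    if not match:
        raise ValueError(f"unrecognised XWiki version string: {version!r}")
    numbers = tuple(int(part) for part in match.group(1).split("."))
    numbers += (0,) * (3 - len(numbers))  # "4.2" is the same release as "4.2.0"
    if match.group(2) is None:
        return numbers, FINAL_RANK, 0
    return numbers, QUALIFIER_RANK[match.group(2).lower()], int(match.group(3))


def in_range(version: str, lower_inclusive: str, upper_exclusive: str) -> bool:
    """lower <= version < upper, the form the CVE-2025-32430 entry uses."""
    return parse_version(lower_inclusive) <= parse_version(version) < parse_version(upper_exclusive)


def is_patched(version: str, fix_versions: Iterable[str]) -> bool:
    """Does `version` contain one of the listed fixes?

    Assumed rule: patched if at or above the fix on its own major.minor
    branch, or at or above the newest fix (later release lines inherit it).
    Branches the advisory does not list (e.g. 16.7.x against a fix list of
    15.10.14 / 16.4.6 / 16.10.0-rc-1) are treated as unpatched, as are
    branches older than the oldest fix.
    """
    key = parse_version(version)
    fixes = sorted(parse_version(fix) for fix in fix_versions)
    for fix in fixes:
        if fix[0][:2] == key[0][:2]:  # same major.minor branch
            return key >= fix
    return key >= fixes[-1]


# Affected ranges and fix versions exactly as stated in the entries above.
CVE_2025_32430_RANGES = [
    ("4.2-milestone-3", "16.4.8"),
    ("16.5.0-rc-1", "16.10.6"),
    ("17.0.0-rc-1", "17.3.0-rc-1"),
]
CVE_2025_29925_FIXES = ["15.10.14", "16.4.6", "16.10.0-rc-1"]
CVE_2025_24893_FIXES = ["15.10.11", "16.4.1", "16.5.0RC1"]


def is_affected_by_cve_2025_32430(version: str) -> bool:
    return any(in_range(version, low, high) for low, high in CVE_2025_32430_RANGES)


def report(version: str) -> dict:
    """Summarise the three advisories for one installed version."""
    return {
        "CVE-2025-32430 in affected range": is_affected_by_cve_2025_32430(version),
        "CVE-2025-29925 unpatched": not is_patched(version, CVE_2025_29925_FIXES),
        "CVE-2025-24893 unpatched": not is_patched(version, CVE_2025_24893_FIXES),
    }


if __name__ == "__main__":
    for v in ["16.4.7", "16.4.8", "16.5.0RC1", "16.10.5", "17.3.0-rc-1"]:
        print(v, report(v))
```

Read the installed version from the XWiki administration UI or the deployed WAR's version metadata before calling report(); a True for "unpatched" on a release line the advisory does not list (for example 16.7.x) means only that none of the quoted fix versions applies to that line, not that the page confirms that line is affected.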
XWiki Platform /bin/view/ code execution vulnerability (CVE-2023-37462) No POC
XWiki Platform is a generic wiki platform that provides runtime services for applications built on top of it. Improper escaping in the document "SkinsCode.XWikiSkinsSheet" leads to an injection vector from view right on that document to programming rights: arbitrary script macros, including Groovy and Python macros, can be executed, which allows remote code execution including unrestricted read and write access to all wiki contents. An attacker triggers it by opening a non-existing page whose name is crafted to contain a dangerous payload. It is possible to check whether an existing installation is vulnerable.